On Fri, 2005-11-25 at 12:20 -0500, Bruce Momjian wrote:
> Simon Riggs wrote:
> > On Fri, 2005-11-18 at 09:32 -0500, Tom Lane wrote:
> > > All known CVE problems are resolved in 8.0.4.
> >
> > It seems like we need a much clearer resource for security admins to
> > check our compliance levels. This could be a source of similar
> > refusal-to-implement PostgreSQL at other installations, so could almost
> > be regarded as an advocacy issue. Other software projects have been
> > criticized badly for their security response and info dissemination - I
> > don't believe that applies here, but it does indicate the general
> > requirement and its priority. i.e. don't just fix the bugs, tell
> > everyone you've fixed the bugs.
>
> Well, as the original poster mentioned, they were looking for a reason
> _not_ to use PostgreSQL, and if that is the goal, you can find a reason,
> error numbers or not.

I think that's true, but it should be our goal to remove all excuses so
that people have to face up to the real issues. I see this as advocacy
in many ways.

> I am not excited about referencing error numbers from someone else. We
> know our errors better than anyone else, so I don't see the point.

I think if you don't want to put those on the release notes, that's
fine; we know you're busy. Others have spoken in favour of a web page,
separate from the release notes, and as Tom points out it's easier to do
it that way retrospectively anyway.

*We* do know our errors, but that's not the point. CVE is becoming an
accepted standard for referring to security exposures and we should
follow this trend.
http://www.cve.mitre.org/about/introduction.html

CVE isn't just somebody else's bugtrack numbers, they're big. Debian,
Gentoo, RedHat, IBM, CA etc already do this.

Unless somebody else wants to do this, I'll discuss on -www how we can
get a page up on the .org site with this info on, so that we can be "CVE
compatible".

Best Regards, Simon Riggs